Menu
With the following privacy policy, we want to inform you about the types of your personal data (hereinafter referred to as “data”) that we process, for what purposes and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the provision of our services and particularly on our websites, mobile applications, and external online presences such as our social media profiles (collectively referred to as “online offerings”). The terms used are not gender-specific.
Effective date: March 9th, 2022
Ragnar Kruse
AI for Hamburg GmbH
Neuer Jungfernstieg 5
20354 Hamburg, Deutschland
Vertretungsberechtigte Personen:
Ragnar Kruse
E-Mail-Adresse:
Legal Notice:
https://wysiwyg.aistartuphub.com/legal-notice/
The following overview summarizes the types of data processed and the purposes of their processing, referring to the affected parties.
The following provides an overview of the legal basis of the GDPR, on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection requirements may apply in your or our country of residence. If there are more specific legal bases that are relevant in individual cases, we will inform you of these in the data protection declaration.
This is a summary of the legal basis for processing personal data under the General Data Protection Regulation (GDPR) and the data protection law of the Evangelical Church in Germany (DSG-EKD). The legal bases include:
In addition to the data protection regulations of the General Data Protection Regulation, national data protection regulations apply in Germany. This includes in particular the Law for the protection against misuse of personal data during data processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains in particular special regulations regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, the processing for other purposes and transmission as well as automated decision making in individual cases including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG), especially with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. In addition, state data protection laws of the individual federal states may apply.
“We take appropriate technical and organisational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.
Measures include in particular ensuring confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data threats. We also consider data protection when developing or selecting hardware, software, and procedures, in accordance with the principle of data protection, by design and through privacy-friendly settings.
SSL encryption (https): To protect data transmitted via our online offer, we use SSL encryption. You can recognise encrypted connections by the prefix https:// in the address bar of your browser.”
As part of our processing of personal data, it may be necessary to transmit or disclose the data to other entities, companies, legally independent organizational units or individuals. Recipients of such data may include service providers or content providers with IT-related tasks or services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with data recipients to ensure the protection of your data.
Transmission of data within the company group: We may transmit personal data to other companies within our company group or grant them access to such data. If such transfer is for administrative purposes, it is based on our legitimate business and economic interests, or it is necessary to fulfill our contractual obligations, or if the consent of individuals concerned or a legal permission is obtained.
Transmission of data within the organization: We may transmit personal data to other entities within our organization or grant them access to such data. If such transfer is for administrative purposes, it is based on our legitimate business and economic interests, or it is necessary to fulfill our contractual obligations, or if the consent of individuals concerned or a legal permission is obtained.
Cookies are small text files or other storage marks that store information on end devices and read information from end devices. For example, they can store the login status in a user account, the contents of a shopping cart in an online shop, the content accessed or functions used in an online offer. Cookies can also be used for different purposes such as functionality, security and convenience of online offers as well as the creation of visitor flow analysis.
Information on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless it is not required by law. Consent is not required, in particular, if the storage and reading of information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e. our online offering) explicitly requested by them. The revocable consent is communicated clearly to users and contains information about the respective cookie usage.
Information on data protection legal bases: The legal basis on which we process user’s personal data via cookies depends on whether we ask for their consent. If users give their consent, the legal basis for processing their data is their declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (such as operating our online service as a business and improving its usability), or if the use of cookies is necessary to fulfill our contractual obligations. We will explain the purposes for which we process cookies in this privacy policy or as part of our consent and processing processes.
In regards to storage duration, the following types of cookies are distinguished: temporary cookies (also known as session cookies), which are deleted at the latest after a user leaves an online offer and closes his device (such as a browser or mobile application). Permanent cookies, on the other hand, remain stored even after the device is closed. For example, login status can be saved or preferred content can be displayed directly when the user revisits a website. The data collected through cookies can also be used for measuring the range of users. If we do not explicitly provide users with information about the type and storage duration of cookies (e.g. in the context of obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke their consent given at any time and also file an objection to the processing in accordance with the legal requirements of Art. 21 GDPR (further information on the objection will be provided within the scope of this privacy policy). Users can also declare their objection by means of the settings of their browser.
Further information on processing procedures, methods and services: We use a procedure for cookie consent management that collects and manages user consent for the use of cookies and the processing and providers mentioned within the cookie consent management procedure. The consent declaration is kept to avoid repeated requests and to provide legal proof of consent. The storage can be on the server and/or in a cookie (also known as an opt-in cookie or similar technology) to assign consent to a user or device. Individual providers of cookie management services may differ, but in general, the consent can be stored for up to two years with a pseudonymous user identifier, the date and time of consent, details on the extent of consent (e.g. which categories of cookies or service providers) and details on the browser, system and device used. Cookiebot is the provider of our cookie consent management service, based in Denmark. Additional information on the data stored by Cookiebot can be found on their website and privacy policy:https://www.cookiebot.com/en/privacy-policy/
Further information: Stored data (on the service provider’s server): The user’s IP number in anonymized form (the last three digits are set to 0), date and time of consent, browser information, the URL from which consent was sent, an anonymous, random and encrypted key value; the user’s consent status.
To ensure the safe and efficient provision of our online services, we utilize the services of one or more web hosting providers whose servers (or managed servers) can be accessed for our online offerings. To this end, we may employ infrastructure and platform services, computing capacity, storage space and database services, as well as security and technical maintenance services.
The data processed within the scope of the hosting services can include all information that pertains to the users of our online offerings and that arises in connection with their use and communication. This regularly includes the IP address, which is necessary to deliver content from online offerings to browsers, as well as all input made within our online offerings or on other websites.
The following is a brief summary in English:
Processed data types: Content data (e.g. inputs in online forms), usage data (e.g. visited web pages, interest in content, access times), and meta/communication data (e.g. device information, IP addresses). Affected individuals are users (e.g. website visitors, users of online services). The purposes of data processing include providing our online offerings and user-friendliness, providing contractual services, and customer service. The legal basis for processing is legitimate interests (Art. 6 para. 1 sentence 1 lit. f. DSGVO).
Additional information on processing processes, procedures and services:
– Email sending and hosting: the web hosting services we use also include sending, receiving, and storing emails. For these purposes, recipient and sender addresses as well as other information related to email sending (such as involved providers) and the contents of each email are processed. The aforementioned data can also be processed for the purpose of detecting spam. Please note that emails sent over the internet are generally not encrypted. Emails are typically encrypted during transport, but (unless end-to-end encryption is used) not on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the transmission of emails between the sender and recipient on our server.
– Collection of access data and log files: we (or our web hosting provider) collect data on each access to the server (so-called server log files). Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data amounts, message about successful access, user’s browser type and version, operating system, Referrer URL (previously visited page) and, in most cases, IP addresses and the requesting provider. Server log files can be used for security purposes, such as to avoid server overload (especially in cases of misuse or DDoS attacks), as well as to ensure server capacity and stability. Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data required for evidence purposes is exempt from deletion until the final clarification of the respective incident.
– WordPress.com: hosting platform for blogs/websites; Service provider: Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA; Website: https://wordpress.com; Privacy Policy: https://automattic.com/de/privacy/; Data processing agreement: concluded with provider: https://wordpress.com/support/data-processing-agreements/.
– Hetzner: services in the field of providing information technology infrastructure and related services (such as storage space and/or computing capacities); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Website: https://www.hetzner.com; Privacy Policy: https://www.hetzner.com/de/rechtliches/datenschutz; Data processing agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
Users can create a user account. During registration, users are provided with the necessary mandatory information and this information is processed for the purpose of providing the user account based on contractual obligation. The processed data includes login information (username, password, and email address).
In the context of using our registration and login functions, as well as using the user account, we store the IP address and the time of the respective user action. Storage is based on our legitimate interests as well as the interests of users in protecting against abuse and other unauthorized use. These data are generally not passed on to third parties, unless it is necessary to pursue our claims or there is a legal obligation to do so.
Users can be informed by email about events that are relevant to their user account, such as technical changes.
The processed types of data include personal data like names and addresses, contact information such as email and phone numbers, content data like inputs in online forms, and meta/communication data like device information and IP addresses.
The affected persons are users, such as website visitors and users of online services. The purposes of processing are to provide contractual services and customer support, security measures, and management and response to inquiries. The legal basis for the processing is fulfillment of the contract and pre-contractual inquiries (Art. 6 para. 1 lit. b GDPR) and legitimate interests (Art. 6 para. 1 lit. f GDPR).
Further information on processing procedures, processes, and services include: registration with real names, visibility of profiles can be adjusted, data is deleted after the termination of user accounts, and there is no obligation to retain data. Users are responsible for securing their data before contract termination, and the platform is authorized to permanently delete all stored user data during the contract period.
When contacting us (e.g. via contact form, email, telephone, or social media) or within existing user and business relationships, personal data of the requesting individuals will be processed as far as necessary for the purpose of answering the contact requests and any requested measures.
Answering contact requests and managing contact and request data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer contractual inquiries. Furthermore, we have a legitimate interest in answering inquiries and maintaining user or business relationships.
The legal basis for the processing is the fulfillment of contracts and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. DSGVO), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. DSGVO), and legal obligations (Art. 6 para. 1 sentence 1 lit. c. DSGVO).
The text also provides information on the processing of personal data through contact forms and the use of HubSpot, a software for customer management, process and sales support, and communication with customers.
Contact form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the matter communicated. For this purpose, we process personal data in the context of pre-contractual and contractual business relations, to the extent necessary for their fulfillment and otherwise based on our legitimate interests and the interests of communication partners in responding to inquiries and our legal retention obligations.
HubSpot: Software for customer management, process and sales support (multichannel communication, i.e. management of customer inquiries from various channels, sales, process management, analyses, feedback and survey functions); Service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Website: https://www.hubspot.de; Privacy policy: https://legal.hubspot.com/de/privacy-policy; Data processing agreement: https://legal.hubspot.com/dpa; Standard Contractual Clauses (Ensuring the Level of Data Protection when Processing in Third Countries): https://legal.hubspot.com/dpa.
We use platforms and applications of other providers (hereinafter referred to as “conference platforms”) for the purpose of conducting video and audio conferences, webinars, and other types of video and audio meetings (hereinafter collectively referred to as “conference”). When selecting conference platforms and their services, we comply with legal requirements.
Through conference platforms processing data: As part of participating in a conference, the conference platforms process the personal data of participants mentioned below. The extent of processing depends on the data required for a specific conference (e.g. access data or clear names) and the optional information provided by the participants. In addition to processing for the purpose of conducting the conference, the data of participants can also be processed by conference platforms for security or service optimization purposes. The processed data include personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information about the participant’s professional position/function, the IP address of the internet access, information about the participants’ end devices, their operating system, browser, technical and language settings, information about communication processes (i.e. chat inputs as well as audio and video data), as well as the use of other available functions (e.g. surveys). Content of communications is encrypted to the extent provided for by the conference provider’s technical capabilities. If participants are registered as users with conference platforms, additional data can be processed in accordance with the agreement with the respective conference provider.
The following message is about privacy, data protection, and the use of conference platforms. Participants will be informed transparently in advance about the recording of text inputs, survey results, videos, or audio recordings and will be asked for their consent if necessary.
Participants are responsible for selecting optimal security and privacy settings for conference platforms and ensuring data and personal protection during the conference by informing housemates, locking doors, and using background anonymity functions where possible. Links and access credentials to conference rooms should not be shared with unauthorized third parties.
Our processing of user data may also require user consent for using conference platforms or certain features, and for fulfilling our contractual obligations. Otherwise, we process user data based on our legitimate interests in efficient and secure communication with our communication partners.
The message describes different types of data that are processed, including inventory data, contact data, content data, usage data, and meta/communication data.
The processing of this data affects communication partners and users, including website visitors and users of online services. The purposes of processing include the provision of contractual services and customer service, contact inquiries and communication, and office and organizational procedures. The legal bases for processing this data include consent, contract fulfillment, and pre-contractual inquiries, and legitimate interests.
These legal bases are established under GDPR Article 6 paragraph 1 sentence 1, and they provide a framework for the legal processing of personal data within the European Union.
Further information on processing processes, procedures, and services: Google Hangouts/Meet: Messaging and conferencing software, Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://hangouts.google.com/; Privacy Policy: https://policies.google.com/privacy; Data processing agreement: https://workspace.google.com/terms/dpa_terms.html; Standard Contractual Clauses (Assurance of Data Protection Level for Processing in Third Countries): https://cloud.google.com/terms/eu-model-contract-clause. Microsoft Teams: Messaging and conferencing software, Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://products.office.com/; Privacy Policy: https://privacy.microsoft.com/de-de/privacystatement, Security Information: https://www.microsoft.com/de-de/trustcenter; Standard Contractual Clauses (Assurance of Data Protection Level for Processing in Third Countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA. Slack: Messaging and conferencing software, Service provider: Slack Technologies, Inc., 500 Howard Street, San Francisco, CA 94105, USA; Website: https://slack.com/intl/de-de/; Privacy Policy: https://slack.com/intl/de-de/legal; Data processing agreement: https://slack.com/intl/de-de/terms-of-service/data-processing; Standard Contractual Clauses (Assurance of Data Protection Level for Processing in Third Countries): https://slack.com/intl/de-de/terms-of-service/data-processing. Zoom: Video conferencing, web conferencing, and webinars; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Website: https://zoom.us/; Privacy Policy: https://zoom.us/docs/de-de/privacy-and-legal.html; Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA); Standard Contractual Clauses (Assurance of Data Protection Level for Processing in Third Countries): https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA).
The application process requires applicants to provide us with the necessary data for their evaluation and selection. The required information can be found in the job description or in the case of online forms, in the provided information.
Typically, the necessary information includes personal information such as name, address, contact information, and evidence of the required qualifications for the position. We are happy to provide additional information on specific requirements upon request.
Applicants may submit their applications through an online form if provided. The data is transmitted to us in an encrypted manner using the latest technology. However, if applicants choose to submit their applications via email, we cannot guarantee the security of transmission. We may use applicant management or recruitment software, platforms and services of third party providers for recruitment purposes, in compliance with legal requirements.
Applicants are welcome to contact us to discuss alternative methods of application submission, or send their application by mail.
Processing of special categories of data: Insofar as special categories of personal data in accordance with Art. 9 (1) GDPR (such as health data, e.g. severe disability status or ethnic origin) are requested from applicants as part of the application process, so that the controller or the data subject can exercise his or her rights arising from labour law and the law of social security and social protection and fulfil his or her obligations in this regard, their processing is carried out in accordance with Art. 9 (2) (b) GDPR. In the case of protecting the vital interests of applicants or other persons in accordance with Art. 9 (2) (c) GDPR, or for the purposes of preventive or occupational medicine, for the assessment of the employee’s capacity to work, for medical diagnosis, for health or social care or treatment, or for the management of health or social care systems and services in accordance with Art. 9 (2) (h) GDPR. In the case of voluntary consent to the communication of special categories of data, their processing is based on Art. 9 (2) (a) GDPR.
Deletion of data: The data provided by applicants can be further processed by us for the purposes of the employment relationship in the event of a successful application. Otherwise, if the application for a job offer is not successful, the applicant’s data will be deleted. The data of applicants will also be deleted if an application is withdrawn, to which the applicants are entitled at any time. Deletion will take place, subject to legitimate revocation by the applicants, no later than after a period of six months, so that we can answer any follow-up questions regarding the application and comply with our obligations under the equal treatment of applicants regulations. Invoices for any travel expense reimbursements are archived in accordance with tax regulations.
Inclusion in an applicant pool: Inclusion in an applicant pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process, and can be revoked at any time in the future.
Duration of data storage in the applicant pool in months: 6 months
Processed data types: Applicant data (e.g. personal information, postal and contact addresses, application documents and the information contained therein such as cover letters, CVs, certificates, as well as other information voluntarily provided by applicants regarding their person or qualifications for a specific position).
Affected persons: Applicants.
Purposes of processing: Application process (establishment and potential future execution, as well as potential future termination of the employment relationship).
Legal bases: Application process as a pre-contractual or contractual relationship (Art. 9 para. 2 lit. b GDPR).
Further information on processing processes, procedures, and services:
– LinkedIn Recruiter: Job search and application-related services within the LinkedIn platform. Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
– Stepstone: Recruiting platform and services. Service provider: StepStone Deutschland GmbH, Völklinger Straße 1, 40219 Düsseldorf, Germany.
– Xing: Job search and application-related services within the Xing platform. Service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany.
We use software services accessible via the internet and operated on their providers’ servers (known as “cloud services” or “Software as a Service”) for the following purposes: document storage and management, calendar management, email sending, spreadsheets, and presentations, exchanging documents, content and information with specific recipients, publishing web pages, forms or other content and information, as well as chats and participating in audio and video conferences.
Personal data may be processed and stored on the servers of providers to the extent that they are part of communication processes with us or otherwise processed by us as outlined in this privacy statement. This data may include, in particular, master data and contact information of users, data relating to transactions, contracts, or other processes and their contents. Cloud service providers also process usage data and metadata to improve security and optimize services.
If we provide forms or other documents and content for other users or publicly accessible websites using cloud services, providers may store cookies on users’ devices for web analysis purposes or to remember user settings (e.g., media control).
Hints on legal bases: If we ask for consent to use cloud services, the legal basis for processing is consent. Furthermore, their use may be part of our (pre)contractual services if the use of cloud services has been agreed in this context. Otherwise, user data is processed based on our legitimate interests (i.e., interest in efficient and secure administrative and collaboration processes). Processed data types include master data (e.g., names, addresses), contact data (e.g., e-mail, phone numbers), content data (e.g., entries in online forms), usage data (e.g., visited websites, interest in content, access times), and meta/communication data (e.g., device information, IP addresses). Affected parties include customers, employees (e.g., employees, applicants, former employees), prospects, and communication partners. Purposes of processing include office and organizational procedures. Legal bases include consent (Art. 6 para. 1 sentence 1 lit. a GDPR), contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR).
Additional information on processing procedures, procedures, and services: Google Workspace: Cloud-based application software (e.g., text and spreadsheet processing, appointment and contact management), cloud storage and cloud infrastructure services; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/; privacy policy: https://cloud.google.com/terms/cloud-privacy-notice, security notes: https://cloud.google.com/security/privacy; data processing agreement: https://workspace.google.com/terms/dpa_terms.html; standard contractual clauses (ensuring the level of data protection when processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause.
We only send newsletters, emails and other electronic notifications (hereinafter “newsletters”) with the consent of the recipients or with legal permission. If the contents of the newsletter are specifically described as part of a registration process, they are binding for the users’ consent. Otherwise, our newsletters contain information about our services and us.
To subscribe to our newsletters, it is generally sufficient to provide your email address. However, we may ask you to provide a name for personal address in the newsletter or other information, if necessary for the purposes of the newsletter.
Double opt-in procedure: The registration for our newsletter is generally done via a so-called double opt-in procedure. This means that after registration, you will receive an email asking you to confirm your registration. This confirmation is necessary so that no one can register with someone else’s email address. The registrations for the newsletter are logged in order to be able to demonstrate the registration process in accordance with legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Changes to your data stored by the dispatch service provider are also logged.
Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to provide proof of a previously given consent. Processing of this data will be restricted for the purpose of possible defense against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed. In the case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.
The logging of the registration process is carried out on the basis of our legitimate interests for the purpose of proving its proper course. If we engage a service provider for the dispatch of emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch system.
Legal basis information: The sending of newsletters is based on consent of the recipients or, if consent is not required, on the basis of our legitimate interests in direct marketing, to the extent that this is legally permissible, for example in the case of advertising to existing customers. If we engage a service provider for the dispatch of emails, this is done on the basis of our legitimate interests in an efficient and secure dispatch. The registration process is recorded on the basis of our legitimate interests in order to prove that it was carried out in accordance with the law.
Contents:
Information about us, our services, promotions, and offers.
Processed data types: Master data (e.g. names, addresses); contact data (e.g. email, phone numbers); meta/communication data (e.g. device information, IP addresses); usage data (e.g. visited websites, interest in content, access times).
Persons concerned: communication partners; users (e.g. website visitors, users of online services).
Purposes of processing: direct marketing (e.g. by email or post); range measurement (e.g. access statistics, detection of recurring visitors); conversion measurement (measurement of the effectiveness of marketing measures); profiles with information relating to users (creation of user profiles).
Legal bases: consent (Art. 6 para. 1 sentence 1 lit. a GDPR); legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Possibility of objection (opt-out): You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can use one of the contact options given above, preferably email, for this purpose.
Further information on processing processes, procedures, and services:
Measurement of opening and click rates: The newsletters contain a so-called “web beacon”, which is a pixel-sized file that is retrieved from our server or, if we use a delivery service provider, from their server when the newsletter is opened. As part of this retrieval, technical information such as information about the browser and your system, as well as your IP address and the time of retrieval, is initially collected. This information is used for technical improvement of our newsletter based on technical data or target groups and their reading behavior based on their retrieval locations (which can be determined using the IP address) or access times. This analysis also includes determining whether the newsletters are opened, when they are opened, and which links are clicked. This information is assigned to the individual newsletter recipients and stored in their profiles until they are deleted. The evaluations help us to recognize the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users. The measurement of the opening rates and click rates as well as the storage of the measurement results in the users’ profiles and their further processing is based on the users’ consent. A separate revocation of the success measurement is unfortunately not possible, in this case the entire newsletter subscription must be canceled, or an objection must be made to it. In this case, the stored profile information will be deleted.
Additionally, the message explains that Google Analytics and HubSpot are used for email marketing campaigns and the creation of user profiles, with information available about the data processing and privacy policies of these services.
We process personal data for the purpose of advertising communication, which can take place through various channels, such as email, telephone, post or fax, in accordance with legal requirements.
Recipients have the right to revoke granted consent at any time or to object to marketing communication at any time. After revocation or objection, we can store the data required to prove consent for up to three years on the basis of our legitimate interests before we delete it. The processing of this data is limited to the purpose of possible defence against claims. An individual request for deletion is possible at any time, provided that the former existence of consent is confirmed.
Processed data types include master data (e.g. names, addresses) and contact data (e.g. email, phone numbers), with communication partners affected. The purposes of processing are direct marketing (e.g. by email or post) and the legal basis is consent (Art. 6 para. 1 sentence 1 lit. a GDPR) and legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
The surveys and questionnaires (hereinafter referred to as “surveys”) conducted by us are evaluated anonymously. Processing of personal data only takes place to the extent necessary for the provision and technical implementation of the surveys (e.g., processing of the IP address to display the survey in the user’s browser or to enable the resumption of the survey using a temporary cookie (session cookie)) or if the user has consented. Where we ask participants to consent to the processing of their data, this is the legal basis for the processing; otherwise, the processing of participants’ data is based on our legitimate interests in conducting an objective survey.
The data processed includes contact details (e.g., email, telephone numbers), content data (e.g., entries in online forms), usage data (e.g., visited web pages, interest in content, access times), and meta/communication data (e.g., device information, IP addresses). Communication partners are affected.
The purposes of the processing are contact enquiries and communication, direct marketing (e.g., by email or post). The legal basis for this is consent (Art. 6 para. 1 sentence 1 lit. a DSGVO); legitimate interests (Art. 6 para. 1 sentence 1 lit. f DSGVO).
Further information about processing procedures, procedures and services is provided:
Google Forms: Creation and evaluation of online forms, surveys, feedback forms, etc; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Parent Company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.google.de/intl/en/forms; Privacy policy: https://policies.google.com/privacy; Data Processing Agreement: https://workspace.google.com/terms/dpa_terms.html; Standard Contractual Clauses (Ensuring Data Protection Level when Processing in Third Countries): https://cloud.google.com/terms/eu-model-contract-clause.
Typeform: Creation of forms and surveys and management of participant contributions; Service provider: TYPEFORM SL, Carrer Bac de Roda, 163, local, 08018 – Barcelona, Spain; Website: https://www.typeform.com/; Privacy policy: https://admin.typeform.com/to/dwk6gt/.
Web analysis (also known as “traffic measurement”) is used to evaluate visitor traffic on our online offering, and can include pseudo-anonymous information about the behavior, interests, or demographics of visitors, such as age or gender. Through traffic analysis, we can, for example, determine the most frequent times our online offering or its features or content are used, and invite reuse. We can also understand which areas require optimization.
In addition to web analytics, we can use testing procedures to test and optimize different versions of our online offering or its components. Unless otherwise specified below, profiles may be created for these purposes, i.e., data summarized for one use is stored in a browser or end device, and information is stored and read from that device.
The data collected includes, in particular, visited websites and elements used, as well as technical information such as the browser used, the computer system used, and information about usage times. If users have agreed to share their location data with us or with the providers of the services we use, location data may also be processed.
User IP addresses are also stored, but we use an IP masking procedure (i.e., pseudonymization through shortening of the IP address) to protect users. In general, we do not store any direct user data (such as email addresses or names) in the context of web analysis, A/B testing, and optimization, but rather pseudonyms. That is, neither we nor the providers of the software we use know the actual identity of the user, but only the information stored in their profiles for the purposes of their respective processes.
Hints on legal bases: If we ask users to consent to the use of third-party providers, the legal basis for the processing of data is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, cost-effective and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this data protection declaration.
Processed data types include:
Usage data (e.g. visited websites, interest in content, access times)
Meta/communication data (e.g. device information, IP addresses).
Affected persons are users (e.g. website visitors, users of online services).
The processing purposes are range measurement (e.g. access statistics, recognition of repeat visitors) and profiling with user-related information (creation of user profiles).
Security measures include IP-masking (pseudonymisation of the IP address). Legal bases are consent (Art. 6 para. 1 sentence 1 lit. a of the GDPR) and legitimate interests (Art. 6 para. 1 sentence 1 lit. f of the GDPR).
Further information on processing processes, procedures and services is also provided:
Google Analytics is a web analysis and user flow measurement tool provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, with the parent company being Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The website for this service is https://marketingplatform.google.com/intl/de/about/analytics/ and their privacy policy is located at https://policies.google.com/privacy. A data processing agreement can be found at https://business.safety.google/adsprocessorterms and standard contractual clauses for ensuring a level of data protection when processing data in third countries are also available at this link. Users have the option to opt-out of this service with the Opt-Out plugin located at https://tools.google.com/dlpage/gaoptout?hl=de along with settings for displaying advertising at https://adssettings.google.com/authenticated. More information about the types of data processed and how they are used can be found at https://privacy.google.com/businesses/adsservices. In consent mode, users’ personal data is processed by Google for measurement and advertising purposes based on their consent. Consent is obtained by users through our online services. If consent is not given by the user, data will only be processed on an aggregated level. When consent only covers statistical measurement, personal data is not used for ad display or measurement of ad success (known as “conversion”). More information on this can be found at https://support.google.com/analytics/answer/9976101?hl=de.
We maintain online presences within social networks and process users’ data in this context to communicate with users active there or to provide information about us.
We would like to point out that the users’ data may be processed outside the European Union. This can result in risks for users, such as making it more difficult to enforce users’ rights. Furthermore, user data is usually processed within social networks for market research and advertising purposes, such as creating usage profiles based on users’ behavior and resulting interests, and using these profiles to display ads both within and outside the networks that presumably correspond to users’ interests. For these purposes, cookies are usually stored on users’ computers, in which usage behavior and interests are saved. Data can also be stored in usage profiles independently of the devices used by users (especially if users are members of the respective platforms and are logged into them).
For a detailed presentation of the respective processing methods and options for objection (opt-out), we refer to the privacy policies and information of the operators of the respective networks.
In the case of requests for information and the assertion of data subjects’ rights, we would like to point out that these are most effectively asserted with the providers.
Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.
Data types processed include contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. visited web pages, interest in content, access times); meta/communication data (e.g. device information, IP addresses). Data subjects include users (e.g. website visitors, users of online services). Purposes of processing include contact requests and communication; feedback (e.g. collecting feedback via online form); marketing. Legal bases include legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Further information on processing processes, procedures and services can be found in the document:
Instagram: Social network; Service Provider: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA; Website: https://www.instagram.com; Legal privacy: https://instagram.com/about/legal/privacy.
Facebook pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data from visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with, or the actions they take (see under “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called “Page Insights,” to Page operators to provide them with insights into how people interact with their Pages and with content associated with them. We have entered into a special agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill the data subject rights (i.e., users can, for example, direct information or deletion requests to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority), are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Standard contractual clauses (ensuring level of data protection in case of processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Shared Responsibility Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.
LinkedIn: social network; service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Order processing agreement: https://legal.linkedin.com/dpa; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://legal.linkedin.com/dpa; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Twitter: social network; service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; parent company: Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; privacy policy: https://twitter.com/privacy, (settings: https://twitter.com/personalization).
YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy: https://policies.google.com/privacy; opt-out: https://adssettings.google.com/authenticated.
Xing: Social network; service provider: XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany; Website: https://www.xing.de; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung.
We include functional and content elements from servers of their respective providers (hereinafter referred to as “third-party providers”) into our online offerings. This can include, for example, graphics, videos or maps (hereinafter referred to jointly as “content”).
The integration always requires that the third-party providers processing the IP address of the user, as they could not send the content to the user’s browser without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only those contents whose respective providers use the IP address solely for the delivery of the contents. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. The “pixel tags” can be used to evaluate information such as visitor traffic to the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device, which, among other things, contain technical information about the browser and operating system, referring websites, visit time, and additional information on the use of our online offerings, as well as linked with information from other sources.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is consent. Otherwise, users’ data is processed on the basis of our legitimate interests (i.e. interest in efficient, economical and recipient-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.
Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses); inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: provision of our online offer and user-friendliness; provision of contractual services and customer service; marketing; profiles with user-related information (creation of user profiles).
Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO); Contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b. DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).
Further guidance on processing operations, procedures and services:
Google Maps: We integrate the maps of the service “Google Maps” of the provider Google. The data processed may include, in particular, IP addresses and location data of the users, which, however, are not collected without their consent (usually executed as part of the settings of their mobile devices); service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://cloud.google.com/maps-platform; privacy policy: https://policies.google.com/privacy; opt-out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://adssettings.google.com/authenticated.
LinkedIn plugins and content: LinkedIn plugins and content- This may include, for example, content such as images, videos or text and buttons that allow users to share content from this online offering within LinkedIn; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Order processing agreement: https://legal.linkedin.com/dpa; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://legal.linkedin.com/dpa; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Twitter plugins and content: Twitter plugins and buttons – This may include, for example, content such as images, videos or texts and buttons with which users can share content of this online offering within Twitter; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, Parent Company: Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; website: https://twitter.com/de; privacy policy: https://twitter.com/privacy, (settings: https://twitter.com/personalization).
YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Website: https://www.youtube.com; Privacy policy: https://policies.google.com/privacy; Opt-out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de, Ad Display Settings: https://adssettings.google.com/authenticated.
We use services, platforms, and software provided by third-party providers for the purpose of organizing, managing, planning, and delivering our services. When selecting third-party providers and their services, we comply with legal requirements.
Within this context, personal data may be processed, and may be stored on the servers of third-party providers. This may include various data that we process in accordance with this privacy policy, such as master data and contact data of users, data on processes, contracts, other processes, and their contents.
If users refer to the third-party providers or their software or platforms in the course of communication, business, or other relationships with us, the third-party providers may process usage data and metadata for security purposes, service optimization, or marketing purposes. We therefore ask you to read the privacy policies of the respective third-party providers.
Notes on legal bases: If we ask users for their consent to use third-party providers, the legal basis for processing data is the consent. In addition, their use may be part of our (pre) contractual services if the use of third-party providers has been agreed within this framework. Otherwise, the users’ data will be processed based on our legitimate interests (i.e. interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this Privacy Policy.
Processed data types: Master data (e.g. names, addresses); Contact data (e.g. e-mail, phone numbers); Content data (e.g. entries in online forms); Usage data (e.g. visited websites, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
Persons concerned: Communication partners, users (e.g. website visitors, users of online services), employees (e.g. employees, applicants, former employees), business and contractual partners.
Purposes of processing: Reach measurement (e.g. access statistics, recognition of repeat visitors); profiles with user-related information (creation of user profiles); office and organizational procedures; feedback (e.g. collection of feedback via online form).
Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a. DSGVO); Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. DSGVO); Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. DSGVO); Contract fulfillment and pre-contractual inquiries (EKD) (§ 6 No. 5 DSG-EKD).
Additional notes on processing operations, procedures and services:
Bitly: URL shortening service and link management platform; Service provider: Bitly, Inc, 139 Fifth Avenue, 5th Floor, New York, NY 10010, USA; website: https://bitly.com; privacy policy: https://bitly.com/pages/privacy.
calendly: online appointment scheduling; service provider: Calendly LLC., 271 17th St NW, Ste 1000, Atlanta, Georgia, 30363, USA; Website: https://calendly.com/de; Privacy policy: https://calendly.com/pages/privacy; Order processing agreement: https://calendly.com/dpa; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://calendly.com/dpa.
HubSpot: social media publishing, reporting (e.g. traffic sources, access numbers, web analytics), contact management (e.g. contact forms, direct communication and user segmentation), landing pages; service provider: HubSpot, Inc., 25 First St., 2nd floor, Cambridge, Massachusetts 02141, USA; Website: https://www.hubspot.de; Privacy policy: https://legal.hubspot.com/de/privacy-policy; Order processing agreement: https://legal.hubspot.com/dpa; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://legal.hubspot.com/dpa.
Eventbrite: event platform and ticket reservation; service provider: Eventbrite, Inc, 155 5th Street, Floor 7, San Francisco, CA 94103, USAEventbrite has a representative for the purposes of European data protection legislation: Eventbrite NL BV located at Silodam 402, 1013AW, Amsterdam, The Netherlands; website: https://www.eventbrite.de; privacy policy: https://www.eventbrite.de/support/articles/de/Troubleshooting/datenschutzrichtlinie-von-eventbrite?lg=de; order processing agreement: https://www.eventbrite.de/support/articles/de/Troubleshooting/datenverarbeitungsnachtrag-fuer-auftragsverarbeiter-und-unterauftragsverarbeiter?lg=de.
Mentimeter: Creation of presentations and meetings with real-time feedback; Service provider: Mentimeter AB, Alströmergatan 22 SE-112 47 Stockholm, Sweden; website: https://www.mentimeter.com; privacy policy: https://www.mentimeter.com/policies.
We kindly ask you to regularly inform yourself about the content of our data protection declaration. We will adapt the data protection declaration as soon as changes to the data processing we carry out make this necessary. We will inform you as soon as the changes require your participation (e.g. consent) or any other individual notification.
If we provide addresses and contact information for companies and organizations in this data protection declaration, please note that the addresses may change over time and we ask that you check the information before contacting them.
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
Right to object: you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
Right to withdraw consent: You have the right to revoke any consent given at any time.
Right to information: you have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
Right to rectification: you have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be rectified.
Right to erasure and restriction of processing: In accordance with the legal requirements, you have the right to demand that data concerning you be deleted without delay, or alternatively, in accordance with the legal requirements, to demand restriction of the processing of the data.
Right to data portability: you have the right to receive data relating to you that you have provided to us in a structured, common and machine-readable format, or to request that it be transferred to another controller, in accordance with the law.
Complaint to supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you usually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
This section provides you with an overview of the terms used in this privacy policy. Many of the terms are taken from the law and defined primarily in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.
Conversion measurement: Conversion measurement (also referred to as “visit action evaluation”) is a procedure with which the effectiveness of marketing measures can be determined. For this purpose, a cookie is usually stored on the users’ devices within the websites on which the marketing measures take place and then retrieved again on the target website. For example, this enables us to track whether the ads we have placed on other websites have been successful.
Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Profiles with user-related information: The processing of “profiles with user-related information”, or “profiles” for short, includes any type of automated processing of personal data that consists in using such personal data to analyze, evaluate or to predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behavior and interests, such as interaction with websites and their content, etc.) (e.g., interests in certain content or products, click behavior on a website or location). Cookies and web beacons are often used for profiling purposes.
Reach measurement: Reach measurement (also known as web analytics) is used to evaluate the flow of visitors to an online offering and may include visitors’ behavior or interests in certain information, such as web page content. With the help of reach analysis, website owners can see, for example, at what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of the website to the needs of their visitors. For reach analysis purposes, pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more precise analyses of the use of an online offer.
Controller: “Controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, be it collection, analysis, storage, transmission or deletion.
The AI.STARTUP.HUB Hamburg promotes the successful growth of AI startups in Northern Germany with an entrepreneurial approach involving the entire AI ecosystem in the North, connecting leading startup and AI players with business, education and research.
Address:
AI for Hamburg GmbH, Neuer Jungfernstieg 5, 20354 Hamburg, Germany
E-Mail-Address:
info@aistartuphub.com
Telephone:
+49 40 2482 2851